MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

Timeline :

Vulnerability discovered by James Forshaw
Patched by the vendor the 2013-03-12
PoC provided by Vitaliy Toropov the 2013-10-23
Discovered exploited into Exploit Kits the 2013-11-13
Metasploit PoC provided the 2013-11-22

PoC provided by :

Reference(s) :

Affected version(s) :

All versions of Microsoft Silverlight 5 bellow version 5.1.20125.0

Tested on :

Windows 7 SP1 with Microsoft Silverlight version 5.1.20125.0

Description :

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it’s possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 – IE10, Windows XP SP3 / Windows 7 SP1.